image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser
Summary
| CVE | CVE-2025-71319 |
|---|---|
| State | PUBLISHED |
| Assigner | VulnCheck |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 21:17:03 UTC |
| Updated | 2026-07-03 13:16:56 UTC |
| Description | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application. |
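The description above names the defect precisely: a box-structured container parser that advances its cursor by the box's own size field, so a size of zero leaves the offset unchanged and the loop never exits. The following added example is not image-size's code; it is a minimal ISOBMFF box walker (the structure shared by HEIF/AVIF and the JPEG XL container) written to show the CWE-835 pattern beside a hardened replacement. The sample buffers are constructed inline, the `maxIterations` guard exists only so the vulnerable walker returns in a demo, and every identifier (`walkBoxesVulnerable`, `walkBoxesHardened`, `box`, `concat`) is an assumption of this example rather than an image-size API.

```javascript
// Added example (not image-size's own code): a minimal ISOBMFF box walker,
// the structure shared by HEIF/AVIF and the JPEG XL container, showing the
// CWE-835 pattern behind CVE-2025-71319 and a hardened replacement.

const HEADER_LEN = 8; // 4-byte big-endian size followed by a 4-byte type

const ascii = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const fourcc = (bytes, off) => String.fromCharCode(...bytes.subarray(off, off + 4));
const u32be = (bytes, off) =>
  new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).getUint32(off, false);

// Vulnerable pattern: `offset += size` with no check that size moves the
// cursor. A box whose size field is 0 leaves offset unchanged forever.
// `maxIterations` is a demo-only guard so this function returns; the real
// defect has no guard and blocks the Node.js event loop indefinitely.
function walkBoxesVulnerable(bytes, maxIterations = 1000) {
  let offset = 0;
  let visited = 0;
  while (offset + HEADER_LEN <= bytes.length) {
    if (++visited > maxIterations) return { hung: true, visited: visited - 1 };
    const size = u32be(bytes, offset);
    offset += size; // size === 0 -> no progress -> infinite loop
  }
  return { hung: false, visited };
}

// Hardened walker: resolves the two special size values defined by
// ISO/IEC 14496-12 (0 = box runs to end of file, 1 = 64-bit largesize
// follows the type), then rejects any box that would not advance offset
// past its own header or that overruns the buffer.
function walkBoxesHardened(bytes) {
  const boxes = [];
  let offset = 0;
  while (offset + HEADER_LEN <= bytes.length) {
    let size = u32be(bytes, offset);
    let headerLen = HEADER_LEN;
    const type = fourcc(bytes, offset + 4);
    if (size === 0) {
      size = bytes.length - offset; // runs to end of buffer; >= HEADER_LEN here
    } else if (size === 1) {
      if (offset + 16 > bytes.length) throw new Error(`truncated largesize header in '${type}'`);
      const hi = u32be(bytes, offset + 8);
      const lo = u32be(bytes, offset + 12);
      if (hi !== 0) throw new Error(`largesize of '${type}' exceeds buffer`);
      size = lo;
      headerLen = 16;
    }
    if (size < headerLen) throw new Error(`box '${type}' size ${size} is smaller than its header`);
    if (offset + size > bytes.length) throw new Error(`box '${type}' overruns buffer`);
    boxes.push({ type, offset, size });
    offset += size; // now guaranteed to advance by at least headerLen
  }
  return boxes;
}

// --- Constructed sample inputs (hand-built byte strings, not real image files) ---
function box(type, payload = new Uint8Array(0), sizeOverride = null) {
  const out = new Uint8Array(HEADER_LEN + payload.length);
  const size = sizeOverride === null ? out.length : sizeOverride;
  new DataView(out.buffer).setUint32(0, size, false);
  out.set(ascii(type), 4);
  out.set(payload, HEADER_LEN);
  return out;
}
function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let o = 0;
  for (const p of parts) { out.set(p, o); o += p.length; }
  return out;
}

const FTYP_HEIC = box('ftyp', ascii('heic'));                              // 12-byte ftyp box, brand 'heic'
const BENIGN = concat(FTYP_HEIC, box('meta'));                             // well-formed: ftyp + empty meta
const CRAFTED_ZERO = concat(FTYP_HEIC, box('meta', new Uint8Array(0), 0)); // meta size field = 0
const CRAFTED_SHORT = concat(FTYP_HEIC, box('meta', new Uint8Array(0), 4)); // size smaller than header

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign, vulnerable walker:', walkBoxesVulnerable(BENIGN));
  console.log('crafted, vulnerable walker:', walkBoxesVulnerable(CRAFTED_ZERO));
  console.log('crafted, hardened walker:', walkBoxesHardened(CRAFTED_ZERO));
}
```

Two points worth noting. First, a zero size field is not malformed per the ISOBMFF spec; it means "this box extends to the end of the file", so the hardened walker resolves it to the remaining length rather than rejecting it, and the crafted buffer then parses cleanly as two boxes. Second, the only invariant that matters for termination is that every iteration advances `offset` by at least the header length; checking `size < headerLen` after resolving the special values enforces that regardless of which box types the parser recognizes.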
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.006250000 probability, percentile 0.455780000 (date 2026-07-02)
Problem Types: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Attack Requirements (AT) | None |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Vulnerable System Confidentiality / Integrity / Availability (VC / VI / VA) | None / None / High |
| Subsequent System Confidentiality / Integrity / Availability (SC / SI / SA) | None / None / None |
| Threat, Environmental and Supplemental metrics (E, CR, IR, AR, M*, S, AU, R, V, RE, U) | Not Defined (X) |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality / Integrity / Availability (C / I / A) | None / None / High |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Image-size | Image-size | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Image-size | Image-size | affected: 1.1.0 to 1.2.1 (semver) | Not specified |
| CNA | Image-size | Image-size | affected: 2.0.0 to 2.0.2 (semver) | Not specified |
| ADP | Red Hat | Red Hat Discovery 2 | Not specified | Not specified |
| ADP | Red Hat | Gatekeeper 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Podman Desktop | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Trusted Artifact Signer | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-... | [email protected] | www.vulncheck.com | Third Party Advisory |
| web.archive.org/web/20260224152152/https://github.com/image-size/image-size/p... | [email protected] | web.archive.org | Issue Tracking, Patch |
| access.redhat.com/errata/RHSA-2026:33313 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2025-71319 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| joshua.hu/image-size-infinite-loop-dos-vulnerabilities | [email protected] | joshua.hu | Exploit, Third Party Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-71319.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/image-size/image-size/security/advisories/GHSA-m5qc-5hw7-8vg7 | MITRE | github.com | |
| www.vulncheck.com/advisories/image-size-denial-of-service-via-infinite-loop-in-... | MITRE | www.vulncheck.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Joshua Rogers (@MegaManSec) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-09T19:57:16.125Z | Made public. |
| ADP | 2026-06-09T21:01:11.339Z | Reported to Red Hat. |
Solutions
ADP: RHSA-2026:33313: Red Hat Discovery 2
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.